From 228c55e897a856b51daf153bd522ff74f5e9bb11 Mon Sep 17 00:00:00 2001
From: Ezio Melotti <ezio.melotti@gmail.com>
Date: Sun, 5 Apr 2026 06:31:54 +0800
Subject: [PATCH] Add `permissions: {}` to all reusable workflows (#148114)

Add permissions: {} to all reusable workflows

(cherry picked from commit 1f36a510a2a16e8ff15572f44090c7db43bb7935)
---
 .github/workflows/reusable-context.yml | 2 ++
 .github/workflows/reusable-docs.yml    | 3 +--
 .github/workflows/reusable-macos.yml   | 2 ++
 .github/workflows/reusable-tsan.yml    | 2 ++
 .github/workflows/reusable-ubuntu.yml  | 2 ++
 .github/workflows/reusable-windows.yml | 2 ++
 6 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
index 426bec2f93982c..b433ac8de594d9 100644
--- a/.github/workflows/reusable-context.yml
+++ b/.github/workflows/reusable-context.yml
@@ -33,6 +33,8 @@ on:  # yamllint disable-line rule:truthy
         description: Whether to run the CIFuzz job
         value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }}  # bool
 
+permissions: {}
+
 jobs:
   compute-changes:
     name: Create context from changed files
diff --git a/.github/workflows/reusable-docs.yml b/.github/workflows/reusable-docs.yml
index 89d5f18c557390..69c9b5422adef0 100644
--- a/.github/workflows/reusable-docs.yml
+++ b/.github/workflows/reusable-docs.yml
@@ -4,8 +4,7 @@ on:
   workflow_call:
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
index 846a1ec891a37e..6cdfd36b2f1d4d 100644
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@@ -15,6 +15,8 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-tsan.yml b/.github/workflows/reusable-tsan.yml
index 43e347d306c882..0a3a6f1825ef75 100644
--- a/.github/workflows/reusable-tsan.yml
+++ b/.github/workflows/reusable-tsan.yml
@@ -12,6 +12,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
index bb1b8024d26f1f..5b4aa2c7abcfff 100644
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@@ -12,6 +12,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
 
diff --git a/.github/workflows/reusable-windows.yml b/.github/workflows/reusable-windows.yml
index a3e54703c23596..3f2a4d8211713d 100644
--- a/.github/workflows/reusable-windows.yml
+++ b/.github/workflows/reusable-windows.yml
@@ -13,6 +13,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 env:
   FORCE_COLOR: 1
   IncludeUwp: >-